SWIFT Client Connectivity on the AWS Cloud

Quick Start Reference Deployment


April 2021
Jack Iu, Henry Su, Gloria Vargas
Dave Brussel, Dave Nickles, Andrew Glenn, and Troy Ameigh, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This guide provides instructions for deploying the Client Connectivity Quick Start reference architecture on the AWS Cloud.

This Quick Start is for organizations that want a standardized environment for workloads that require connectivity to the SWIFT network. Such workloads fall under the compliance guidelines of SWIFT’s Customer Security Programme (CSP) Customer Security Controls Framework (CSCF), which consists of mandatory and advisory security controls for all SWIFT users. This deployment guide includes templates that automate the deployment with recommended settings that align with the SWIFT security controls. Using these templates does not remove the need for the customer to obtain guidance when implementing SWIFT security controls in the cloud.

Upon request, AWS can also provide a certification of compliance, prepared by AWS Partner Dixio, for the CSP controls that fall under AWS responsibility.

The SWIFT components in scope for the baseline deployment include SWIFT messaging interfaces, SWIFT communication interfaces, and SWIFT integration components. For more information, see the SWIFT glossary.

SWIFT Client Connectivity on AWS

This Quick Start was developed and tested using SWIFT components that are typical for most users. Detailed information for installation, configuration, and functionality can be found at mySWIFT Knowledge Centre and through the SWIFT account team.

For this deployment, we used SWIFTNet Link (SNL) release 7.5.00 on RHEL to establish the connection to the SWIFT network. Alliance Gateway (SAG) release 7.5.00 is the communication interface that connects through SNL; it is installed on the same Amazon EC2 instance as SNL. Alliance Messaging Hub (AMH) was tested using release 4.1.2 on the RHEL platform.

In this deployment we also used a virtual private network (VPN) and a Hardware Security Module (HSM). The VPN boxes are ordered from SWIFT as part of SWIFT’s Alliance Connect Bronze connectivity pack, and the HSM is the SWIFT security device.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

This deployment requires a SWIFT account and software license. To register for a SWIFT account, see How to become a swift.com user?

Architecture

Deploying this Quick Start for a new virtual private cloud (VPC) builds the following Client Connectivity environment in the AWS Cloud.

Figure 1. Quick Start architecture for Client Connectivity on AWS

As shown in Figure 1, this Quick Start sets up the following:

  • An architecture that spans two Availability Zones.

  • A VPC configured with private subnets, according to AWS best practices and in compliance with SWIFT CSP guidance, to provide you with your own virtual network on AWS.

  • In the private subnets:

    • Amazon MQ instances to handle communication for AMH.

    • An Amazon Relational Database Service (Amazon RDS) for Oracle instance in an active/standby (Multi-AZ) configuration to store configuration and message data for AMH.

    • Amazon Elastic Compute Cloud (Amazon EC2) instances running SWIFT components (AMH or SAA/Lite2 and SAG/SNL).

  • AWS Systems Manager, which provides administrative access to the instances without a bastion (jump) server.

  • Amazon CloudWatch, which provides the mechanism to store, access, and monitor SWIFT activities.

  • A VPN gateway with load balancing, which connects the VPC to AWS Direct Connect.*

  • AWS Secrets Manager, which encrypts, stores, and retrieves passwords.

  • AWS Direct Connect, which establishes private connectivity between AWS and data centers or colocation environments.*

*The AWS Cloud Development Kit (CDK) application that deploys this Quick Start does not create the components marked with an asterisk, because they depend on a design decision about how you connect to the SWIFT network.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start assumes familiarity with the SWIFT Connectivity components and software options. SWIFT Connectivity on AWS enables other backend payments applications to interface with the SWIFT network.

Figure 2. Sample architecture for Client Connectivity on AWS connecting to SWIFT network via colocation site

Notes on this figure, which also shows components that are out of scope for this deployment:

  • This architecture aligns with SWIFT security control 1.1, where it’s mandated that connectivity components be located in a secure zone.

  • VPC endpoints provide connectivity to the following AWS security services:

    • AWS Systems Manager is used to satisfy security controls 2.1, 2.6, 4.2, and 6.4.

    • Amazon CloudWatch is used to satisfy security control 6.4.

    • AWS Secrets Manager is used to satisfy security controls 2.1, 4.1, and 5.4.

  • AMH integrates into the SWIFT product portfolio by providing an abstraction layer for messaging and routing.

  • SAG is a communication interface that connects to SWIFT via a single instance of SNL.

  • AWS Direct Connect connects the VPC to a colocation site (for example, Interxion or Equinix) that hosts the SWIFT HSM for message signing and (optionally) the VPN devices that secure connectivity to the SWIFT Backbone Access Points (BAP).

  • HSM device hosted in a colocation data center such as Interxion or Equinix.

  • A BAP is an entry point to the SWIFT network.

Beginning in Q2 of 2022, the new Alliance Connect Virtual option from SWIFT allows customers to deploy the VPN on AWS. This architecture is compliant with the SWIFT CSP security controls framework.

Figure 3. Sample architecture for Client Connectivity on AWS connecting to SWIFT network with virtual VPN

UPDATED May 2022: This figure shows components that are required for the virtual VPN:

  • Launching in Q2 2022, the Alliance Connect Virtual solution comes with a CloudFormation template provided by SWIFT.

  • The first version of Alliance Connect Virtual will support internet connectivity to the SWIFT network.

  • An AWS Marketplace subscription is required for the software (only to accept Terms & Conditions).

  • AWS Transit Gateway is a network hub to interconnect the VPCs.

  • AWS Key Management Service is used by the virtual VPN software to safeguard the private keys.

  • Amazon DynamoDB is used to store transient metadata by the virtual VPN software library.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource                                          This deployment uses
Virtual private gateway (VGW)                     1
Security groups                                   5
AWS Identity and Access Management (IAM) roles    4
m5.xlarge instances                               4
AWS KMS keys                                      1
Amazon RDS for Oracle instances                   1
Amazon MQ brokers                                 1
AWS Secrets Manager secrets                       2
VPC endpoints                                     6

Supported Regions

This Quick Start supports the following Regions:

  • US East (Ohio)

  • US East (N. Virginia)

  • US West (N. California)

  • US West (Oregon)

  • Asia Pacific (Hong Kong)

  • Asia Pacific (Mumbai)

  • Asia Pacific (Seoul)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Canada (Central)

  • Europe (Frankfurt)

  • Europe (Ireland)

  • Europe (London)

  • Europe (Milan)

  • Europe (Paris)

  • Europe (Stockholm)

  • Middle East (Bahrain)

  • South America (São Paulo)

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Prepare for the CDK deployment

To deploy this stack, you must install Node.js, Python, and the AWS CDK Toolkit.

Setting your environment variables

The CDK CLI takes its credentials from the AWS_PROFILE environment variable or from the --profile parameter passed to each cdk command. Set one of them before you deploy, for example:

export AWS_PROFILE=myProfile

Deployment options

This Quick Start provides one deployment option:

  • Deploy Client Connectivity. This option builds a new AWS environment consisting of the VPC, subnets, security groups, and other infrastructure components. It then deploys Client Connectivity into this new VPC. This Quick Start uses CDK.

Deployment steps

Planning the deployment

This deployment is intended for IT security professionals and assumes familiarity with basic security concepts in the areas of networking, operating systems, data encryption, operational controls, and cloud computing. This guide includes an option to host the VPN and HSM components either on-premises or in a colocation site.

This Quick Start requires a moderate to high-level understanding of how to manage SWIFT security control requirements and compliance processes within a hosting environment. This deployment also requires a moderate understanding of the following: Service Quotas, AWS Cloud Development Kit (AWS CDK), and AWS CloudFormation.

The deployment process takes about 15 minutes to complete, and the template launches in the eu-west-1 Region by default.

Launch the Quick Start

To deploy this Quick Start, use AWS CDK and Python. For more information, see Working with the AWS CDK in Python.

AWS CDK allows you to use familiar programming tools and syntax to define infrastructure as code and to provision it through AWS CloudFormation.

  1. Ensure that you have the AWS CDK toolkit installed:

    npm install -g aws-cdk
  2. Verify the installation and check the current version:

    cdk --version
  3. Clone the repository that contains the SWIFT Connectivity stack:

    git clone https://github.com/aws-quickstart/quickstart-swift-digital-connectivity.git
    cd quickstart-swift-digital-connectivity
  4. Install the application’s dependencies:

    pip install -r requirements.txt
  5. Edit the cdk.json file to reflect your specific environment.

  6. Deploy the AWS CDK Toolkit stack (for more information, see Bootstrapping):

    cdk bootstrap
  7. Deploy the CDK stack. Before applying the change set, cdk deploy lists any IAM and security-group changes and prompts for approval; review them before you confirm:

    cdk deploy
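The steps above, combined into one preflight-and-deploy script. This is an added example, not code from the Quick Start repository: it assumes the repository has already been cloned and that the script runs from the repository root after cdk.json has been edited. The CDK_PROFILE variable is a name chosen here to pass --profile to the cdk commands; the minimum Node.js version is the one stated in the FAQ of this guide.

```shell
#!/bin/sh
# Preflight wrapper for the CDK deployment steps in this guide (example code,
# not part of the Quick Start). Run from the cloned repository root after
# editing cdk.json.  Usage:  AWS_PROFILE=myProfile sh cdk-preflight.sh deploy
set -eu

# Minimum Node.js version stated in this guide's FAQ.
MIN_NODE_VERSION="10.3.0"

# vfield VERSION N: the N-th dotted field of VERSION; missing fields read as 0.
vfield() {
  printf '%s.0.0\n' "$1" | cut -d. -f"$2"
}

# version_ge A B: succeed when dotted version A is greater than or equal to B,
# comparing the first three fields numerically.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(vfield "$1" "$i")
    y=$(vfield "$2" "$i")
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# node_version_ok "v16.14.2": strip the leading "v" printed by `node --version`
# and compare against the minimum.
node_version_ok() {
  version_ge "${1#v}" "$MIN_NODE_VERSION"
}

# profile_configured [PROFILE]: the CDK CLI takes credentials from the
# AWS_PROFILE environment variable or from --profile; succeed when either is set.
profile_configured() {
  [ -n "${AWS_PROFILE:-}" ] || [ -n "${1:-}" ]
}

# preflight: fail fast on the conditions that would otherwise make
# "cdk bootstrap" or "cdk deploy" fail part-way through.
preflight() {
  command -v node >/dev/null 2>&1 || { echo "node not found" >&2; return 1; }
  command -v cdk >/dev/null 2>&1 || { echo "cdk not found; run: npm install -g aws-cdk" >&2; return 1; }
  nv=$(node --version)
  node_version_ok "$nv" || { echo "Node.js $nv is older than $MIN_NODE_VERSION" >&2; return 1; }
  profile_configured "${CDK_PROFILE:-}" || { echo "set AWS_PROFILE or CDK_PROFILE" >&2; return 1; }
  [ -f cdk.json ] || { echo "cdk.json not found; run from the repository root" >&2; return 1; }
}

# deploy: steps 4, 6 and 7 of the guide, gated by the preflight checks.
# --require-approval broadening makes cdk stop and ask before applying any
# change that widens IAM permissions or security-group rules.
deploy() {
  preflight
  if [ -n "${CDK_PROFILE:-}" ]; then set -- --profile "$CDK_PROFILE"; else set --; fi
  pip install -r requirements.txt
  cdk bootstrap "$@"
  cdk deploy --require-approval broadening "$@"
}

# Only the explicit "deploy" argument triggers the deployment, so the file can
# be sourced to reuse the check functions without side effects.
case "${1:-}" in
  deploy) deploy ;;
esac
```

The version comparison is numeric per field rather than a string comparison, so "v12.22.1" is correctly accepted over "10.3.0" (a plain string compare would reject it because "1" sorts before "9"). The profile check mirrors how the CDK CLI resolves credentials: either the environment variable or the explicit flag satisfies it.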

Security

UPDATED May 2022: The guidance below has been updated in accordance with the 2022 Customer Security Controls Framework (CSCF) published by SWIFT.

AWS compliance measures help to streamline, automate, and implement security baselines on the AWS Cloud, from initial design to operational security readiness. This Quick Start includes SWIFT CSP Security Controls, which map to architecture decisions, features, and configuration baselines.

The customer is responsible for deployment and management. This reference architecture provides the infrastructure for SWIFT connectivity, and the CSP matrix provides guidance associated with the controls outlined in appendix G of the SWIFT CSCF. Under the Shared Responsibility Model, AWS is responsible for protecting the virtualized environment that runs all of the services offered in the AWS Cloud, including the hardware, software, and networking. AWS also provides a certification of compliance, prepared by AWS Partner Dixio, for the CSP controls that fall under AWS responsibility.

The controls matrix has been updated for the one potentially relevant v2022 change, the newly added control 1.5A for architecture A4 (connectivity through Service Bureaus), and includes responses to all other v2022 updates.

For more information, see the SWIFT Security Guidelines for AWS and the related AWS whitepaper.

FAQ

Q. How do I install the AWS CLI?

A. To install the AWS CLI, see Installing, updating, and uninstalling the AWS CLI. During our testing, we downloaded the SWIFT software packages to an S3 bucket and copied them from there onto the Amazon EC2 instances for installation; that copy step requires the AWS CLI.
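The S3 transfer described in this answer, with an integrity check added before anything is installed. This is an added example, not part of the Quick Start: it assumes the packages were uploaded to a bucket you control and that you recorded each package's SHA-256 digest when you obtained it from the SWIFT download centre. The bucket, key and digest passed on the command line are placeholders.

```shell
#!/bin/sh
# Copy a SWIFT package from S3 and refuse to keep it unless its SHA-256 digest
# matches the value recorded at download time (example code, not part of the
# Quick Start).  Usage: sh fetch-swift-package.sh fetch BUCKET KEY SHA256
set -eu

# sha256_of FILE: hex digest, using whichever tool the instance provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_package FILE EXPECTED: succeed only when the digest matches EXPECTED.
verify_package() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# fetch_and_verify BUCKET KEY EXPECTED: copy the object with the AWS CLI
# (through the VPC endpoint on a private subnet) and delete it on mismatch so a
# tampered or truncated package never reaches the installer.
fetch_and_verify() {
  bucket=$1; key=$2; expected=$3
  file=$(basename "$key")
  aws s3 cp "s3://$bucket/$key" "$file"
  if ! verify_package "$file" "$expected"; then
    rm -f "$file"
    return 1
  fi
}

case "${1:-}" in
  fetch) fetch_and_verify "$2" "$3" "$4" ;;
esac
```

Because the instances sit on private subnets, `aws s3 cp` reaches the bucket through the S3 VPC endpoint; the digest check is what turns the bucket from a trusted staging area into a verified one.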

Q. What do I do if my version of Node.js is incompatible?

A. Running the AWS CDK requires Node.js version 10.3.0 or later. To install a current version, see Node.js.

For Windows, if you have an early version of Node.js installed, you may be required to run the .msi installation as an administrator.

If you have Node.js installed, verify that your version is compatible by running the following:

node --version

The output should be 10.3.0 or later.

Q. How do I obtain a copy of the compliance certification for SWIFT CSP controls under AWS responsibility?

A. Please contact your AWS account team or representative for the certification letter and report.

Q. How do I install Ksh on my Amazon EC2 instance?

A. The SWIFT components (that is, AMH, SAG, and SNL) require ksh (KornShell) in order to install them. To install ksh alone on your EC2 instance, run the following:

sudo yum install ksh

Alternatively, install ksh together with the other packages the SWIFT installers depend on. The package builds below are pinned RHEL 8 (.el8) versions; adjust them to the versions your enabled repositories provide, otherwise dnf cannot resolve them:

    sudo dnf install -q \
      bc-1.07.1-5.el8.x86_64 binutils-2.30-58.el8.x86_64 \
      dejavu-fonts-common-2.35-6.el8.noarch dejavu-sans-fonts-2.35-6.el8.noarch \
      elfutils-libelf-0.176-5.el8.x86_64 elfutils-libs-0.176-5.el8.x86_64 \
      fontconfig-2.13.1-3.el8.x86_64 fontconfig-devel-2.13.1-3.el8.x86_64 \
      fontpackages-filesystem-1.44-22.el8.noarch \
      glibc-2.28-72.el8.x86_64 glibc-devel-2.28-72.el8.x86_64 \
      ksh-20120801-252.el8.x86_64 \
      libaio-0.3.112-1.el8.x86_64 libaio-devel-0.3.112-1.el8.x86_64 \
      libgcc-8.3.1-4.5.el8.x86_64 libnsl-2.28-72.el8.x86_64 \
      libstdc++-8.3.1-4.5.el8.x86_64 libstdc++-devel-8.3.1-4.5.el8.x86_64 \
      libX11-1.6.7-1.el8.x86_64 libX11-common-1.6.7-1.el8.noarch \
      libXau-1.0.8-13.el8.x86_64 libxcb-1.13-5.el8.x86_64 \
      libXext-1.3.3-9.el8.x86_64 libXi-1.7.9-7.el8.x86_64 \
      libXmu-1.1.2-12.el8.x86_64 \
      libXrender-0.9.10-7.el8.x86_64 libXrender-devel-0.9.10-7.el8.x86_64 \
      libXt-1.1.5-12.el8.x86_64 libXtst-1.2.3-7.el8.x86_64 \
      make-4.2.1-9.el8.x86_64 net-tools-2.0-0.51.20160912git.el8.x86_64 \
      psmisc-23.1-3.el8.x86_64 smartmontools-6.6-3.el8.x86_64 \
      sysstat-11.7.3-2.el8.x86_64 xorg-x11-xauth-1.0.9-12.el8.x86_64

Troubleshooting

For any issues or questions with installing SWIFT components, see the SWIFT documentation. All SWIFT software is available from the SWIFT download center.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.